Proposal for an Implementation Guide for a Computer Security Incident Response Team on a University Campus
Abstract
1. Introduction
2. Preliminary Concepts
2.1. Computer Security Threat
- Intentional threats are deliberate attempts to put the organization at risk. An example is the theft of information through techniques such as logical trashing, in which discarded material (the garbage or trash) is searched for information that can then be used for fraud, theft and data disclosure.
- Unintentional threats do not seek to exploit a vulnerability but still put an organization's information at risk, for example when a natural disaster damages the infrastructure and the computers that hold the data.
2.2. Computer Security Vulnerabilities
2.3. Computer Security Incident Response Team
3. Method
3.1. Analysis for the Creation of an Academic CSIRT
3.2. Academic Services Catalog
3.3. Information Security Analysis
3.4. Analysis of IT Requirements Oriented to Help Desk
3.5. Preparation of a CSIRT
3.6. Authority of a Computer Security Incident Response Team
3.7. Responsibilities
3.8. Organizational Structure
- Security team: in the absence of a formal CSIRT in the organization, responsibility for security incidents is assumed by the IT department and handled as a daily activity or task. For this, two fundamental teams must be included in the management of computer security and data protection, the Red Team and the Blue Team, to which a third, the Purple Team, is added. Red Teams and Blue Teams carry out complementary work to detect vulnerabilities, prevent cyberattacks and emulate threat scenarios. Red Teams emulate attackers, using tools to exploit security vulnerabilities in systems or applications, pivoting techniques, and the organization's own objectives [26]. The Red Team emulates the threat scenarios an organization can face, analyzing security from the attacker's point of view and giving the security team (the Blue Team) the opportunity to defend itself against attacks in a controlled and constructive way. The pen testers perform an intrusion process with pivoting techniques, social engineering and other hacking tests, which ends with a report in which the vulnerabilities found are identified. The Red Team is therefore a training tool for the Blue Team: it reveals the real capacity the organization has to protect its critical assets, and its detection and response capabilities are evaluated at the technological, process and human levels [27]. The main objective of the Blue Team is to evaluate the different threats that may affect the organization, monitor them, and recommend action plans to mitigate risks. In addition, when incidents occur, the Blue Team performs response tasks, including forensic analysis of the affected machines, tracing of attack vectors, proposing solutions and establishing detection measures for future cases. Purple Teams exist to ensure and maximize the effectiveness of the Red and Blue Teams [28].
They do so by integrating the defensive tactics and controls of the Blue Team with the threats and vulnerabilities found by the Red Team. Ideally, the Purple Team is not a separate team but a dynamic of cooperation between the Red and Blue Teams. Its objective is to manage the security of the organization's assets, perform tests to verify the effectiveness of security mechanisms and procedures, and define or develop additional security controls to reduce the organization's risk. A Purple Team as such makes sense in small organizations where constraints such as an insufficient budget prevent them from supporting an independent Red Team and Blue Team.
- The centralized model is made up of a full-time CSIRT within the organization, which assumes all incidents related to computer security within the organization.
- Distributed model: this model must include at least one security manager or department head who supervises and coordinates its members. These are generally members of the organization who are assigned an incident partially or in full depending on its difficulty or criticality. This model is suitable for large companies in which a centralized CSIRT would not be sufficient.
- The combined model is a hybrid model between the centralized and distributed model, which has a team manager and trained members who will perform designated tasks.
- Coordination model: made up of external organizations that facilitate and coordinate the resolution of security incidents, generally assisting specific communities or organizations.
- Campus model: this model is focused on academic and research CSIRTs. It is made up of several universities from different locations, which makes it possible for the service to spread throughout a nation. One of its main characteristics is that a mother or central CSIRT coordinates it: this central CSIRT communicates with the other academic CSIRTs and provides information to all members that make up or use the campus model, enabling collaboration between them and reducing costs, since members only use the shared service.
3.9. Availability of Services
3.10. Proposed Services When Starting
3.11. Personnel Requirements
3.12. Competencies
3.12.1. Personal Skills
- Ability to express a technical problem in simple words so that the user understands it.
- Analytical.
- Trustworthy.
- Fast learner.
- Labor flexibility.
- Sociable.
- Organized.
- Communicative.
3.12.2. Technical Skills
- Technological knowledge.
- Knowledge of different operating systems.
- Extensive knowledge of networks and their components.
- In-depth knowledge of computer security.
- Knowledge of risk assessment.
- Knowledge of applications.
3.12.3. Additional Skills
- Level of education according to the functions to be performed.
- Experience dealing with computer security issues.
- Availability to travel, since face-to-face support is sometimes necessary to resolve an incident.
3.13. Training
- FIRST
- CERT/CC
- SANS institute
- TRANSITS
3.14. Tools and Infrastructure
- Physical structure
- Specific tools include:
  - Ticket systems to record an incident digitally.
  - Tools for forensic analysis.
  - Security tools (antivirus).
  - Secure communication mechanisms.
  - Alarm system.
  - Surveillance systems.
  - Information backup systems, to bring a system back online as soon as possible.
  - Network dedicated to CSIRT operations.
3.15. Analysis of Security Procedures
4. Results
4.1. Planning
4.2. Application of the ISO/IEC 27002 Standard
4.3. Concerned Parties
4.4. Services Provided
4.5. Organizational Structure
4.6. Security Policies
4.6.1. IT Responsibilities in Hardware Infrastructure
- Check the specifications of the purchased equipment against those established in the purchase contract. If the equipment does not meet this condition, it must be returned immediately.
- Manage preventive technical maintenance of the devices used in the organization, together with the supplier.
- Conduct training on the correct use of installed devices and programs.
- Install the devices and programs, and verify the correct location of each device in the workplace.
- Verify that the physical area where the device will be installed is suitable: electrical power, structured wiring, temperature, etc.
4.6.2. Policies for Hardware Infrastructure Users
4.6.3. IT Responsibilities in Software Infrastructure
- Inventory of applications and programs installed on devices, making sure that they all have valid licenses.
- Determine which devices are active or in operation, and likewise which are not.
- Responsible for the storage of computer programs.
4.6.4. Responsibilities of Software Infrastructure Users
- Downloading and installing software that poses a threat to the organization is prohibited.
- Storage devices that were not provided by the organization are not permitted.
- Altering the antivirus functions, as well as deactivating or uninstalling the antivirus, is forbidden.
4.7. Execution
4.8. Knowledge Base
4.9. Incident Management
4.10. Resolution Time
4.11. Incident Treatment
5. Discussion
6. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Conflicts of Interest
References
1. Skopik, F.; Settanni, G.; Fiedler, R. A problem shared is a problem halved: A survey on the dimensions of collective cyber defense through security information sharing. Comput. Secur. 2016, 60, 154–176.
2. Martins, R.D.J.; Knob, L.A.D.; Da Silva, E.G.; Wickboldt, J.A.; Schaeffer-Filho, A.; Granville, L.Z. Specialized CSIRT for Incident Response Management in Smart Grids. J. Netw. Syst. Manag. 2018, 27, 269–285.
3. Tanczer, L.M.; Brass, I.; Carr, M. CSIRTs and Global Cybersecurity: How Technical Experts Support Science Diplomacy. Glob. Policy 2018, 9, 60–66.
4. Espín, F.V. Guidelines and Their Challenges in Implementing CSIRT in Ecuador. In Advances in Intelligent Systems and Computing; Springer Science and Business Media, LLC: Riobamba, Ecuador, 2021; pp. 239–251.
5. Van Der Kleij, R.; Kleinhuis, G.; Young, H. Computer Security Incident Response Team Effectiveness: A Needs Assessment. Front. Psychol. 2017, 8, 1–8.
6. Zamzuri, Z.F.; Manaf, M.; Ahmad, A.; Yunus, Y. Computer Security Threats towards the E-Learning System Assets. In Proceedings of the Communications in Computer and Information Science, Pahang, Malaysia, 27–29 June 2011; pp. 335–345.
7. Graham, J.H.; Yu, Y. Computer System Security Threat Evaluation Based Upon Artificial Immunity Model and Fuzzy Logic. In Proceedings of the 2005 IEEE International Conference on Systems, Man and Cybernetics, Waikoloa, HI, USA, 10–12 October 2005; Volume 2, pp. 1297–1302.
8. ESET. Security Report. Security 2020, 7, 1–15.
9. Mulwad, V.; Li, W.; Joshi, A.; Finin, T.; Viswanathan, K. Extracting Information about Security Vulnerabilities from Web Text. In Proceedings of the 2011 IEEE/WIC/ACM International Conferences on Web Intelligence and Intelligent Agent Technology, Lyon, France, 22 August 2011; Volume 3, pp. 257–260.
10. Rao, D.; Stupans, I. Exploring the potential of role play in higher education: Development of a typology and teacher guidelines. Innov. Educ. Teach. Int. 2012, 49, 427–436.
11. Narasimhan, R.; Kim, S.W.; Tan, K.C. An empirical investigation of supply chain strategy typologies and relationships to performance. Int. J. Prod. Res. 2008, 46, 5231–5259.
12. Panko, R.R. Computer Security Incident Response Teams (CSIRTs). Handb. Comput. Netw. 2012, 3, 632–638.
13. Bhaskar, R.A. Proposed Integrated Framework for Coordinating Computer Security Incident Response Team. J. Inf. Priv. Secur. 2005, 1, 3–17.
14. Fuertes, W.; Reyes, F.; Valladares, P.; Tapia, F.; Toulkeridis, T.; Pérez, E. An Integral Model to Provide Reactive and Proactive Services in an Academic CSIRT Based on Business Intelligence. Systems 2017, 5, 52.
15. Tchoubar, T.; Sexton, T.R.; Scarlatos, L.L. Role of Digital Fluency and Spatial Ability in Student Experience of Online Learning Environments. Adv. Intell. Syst. Comput. 2019, 1, 251–264.
16. Silva, A.; Silva, K.; Rocha, A.; Queiroz, F. Calculating the trust of providers through the construction weighted Sec-SLA. Futur. Gener. Comput. Syst. 2019, 97, 873–886.
17. Wang, A.J.A. Information security models and metrics. In Proceedings of the 43rd Annual Southeast Regional Conference (ACM-SE 43), New York, NY, USA, 2005; Volume 2, pp. 2178–2184.
18. Stanton, J.M.; Stam, K.R.; Mastrangelo, P.; Jolton, J. Analysis of end user security behaviors. Comput. Secur. 2005, 24, 124–133.
19. Henning, R.R. Security service level agreements: Quantifiable security for the enterprise? In Proceedings of the New Security Paradigm Workshop, New York, NY, USA, 1 September 1999; pp. 54–60.
20. Lichtenstein, S.; Nguyen, L.; Hunter, A. Issues in IT Service-Oriented Requirements Engineering. Australas. J. Inf. Syst. 2005, 13, 176–191.
21. Wiant, T.L. Information security policy's impact on reporting security incidents. Comput. Secur. 2005, 24, 448–459.
22. Kjaerland, M. A classification of computer security incidents based on reported attack data. J. Investig. Psychol. Offender Profiling 2005, 2, 105–120.
23. Wiik, J.; Gonzalez, J.J. Chronic Workload Problems in CSIRTs. In Proceedings of the 27th International Conference of the System Dynamics Society, Albuquerque, NM, USA, 26–30 July 2009; pp. 1–19.
24. Skierka, I.; Morgus, R.; Hohmann, M.; Maurer, T. CSIRT Basics for Policy-Makers. Researchgate 2015, 1–28. Available online: https://www.researchgate.net/publication/323358187_CSIRT_Basics_for_Policy-Makers (accessed on 15 August 2021).
25. Grobler, M.; Bryk, H. Common challenges faced during the establishment of a CSIRT. Inf. Secur. South Afr. 2010, 1, 1–6.
26. De Cusatis, C.; Bavaro, J.; Cannistraci, T.; Griffin, B.; Jenkins, J.; Ronan, M. Red-blue team exercises for cybersecurity training during a pandemic. In Proceedings of the 2021 IEEE 11th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 27–30 January 2021; pp. 1055–1060.
27. Bresch, C.; Michelet, A.; Amato, L.; Meyer, T.; Hely, D. A red team blue team approach towards a secure processor design with hardware shadow stack. In Proceedings of the 2017 IEEE 2nd International Verification and Security Workshop (IVSW), Thessaloniki, Greece, 3–5 July 2017; pp. 57–62.
28. Meszaros, T.; Despinasse, F. Innovation in defense for crisis management: Red teams and blue teams. Rev. Def. Natl. 2020, 1, 101–105.
29. Naseri, A.; Azmoon, O. Proposition of Model for CSIRT: Case Study of Telecommunication Company in a Province of Iran. Int. J. Comput. Sci. Issues 2012, 9, 156–160.
30. Wiik, J.; Gonzalez, J.J. Persistent Instabilities in the High-Priority Incident Workload of CSIRTs. In Proceedings of the 27th International Conference of the System Dynamics Society, Albuquerque, NM, USA, 26–30 July 2009; pp. 1–15.
31. Bieker, F.; Friedewald, M.; Hansen, M.; Obersteller, H.; Rost, M. Privacy Technologies and Policy. In Proceedings of the 4th Annual Privacy Forum (APF 2016), Frankfurt, Germany, 7–8 September 2017; Volume 10518, pp. 21–37.
32. Wiik, J.; Gonzalez, J.J. Limits to Effectiveness in Computer Security Incident Response Teams. In Proceedings of the 23rd International Conference of the System Dynamics Society, Boston, MA, USA, 1 August 2005; pp. 152–153.
33. Khan, R.; Khan, S.U.; Zaheer, R.; Khan, S. Future internet: The internet of things architecture, possible applications and key challenges. In Proceedings of the 10th International Conference on Frontiers of Information Technology, Islamabad, Pakistan, 17–19 December 2012; pp. 257–260.
34. Mahmoodi, Y.; Reiter, S.; Viehl, A.; Bringmann, O.; Rosenstiel, W. Attack Surface Modeling and Assessment for Penetration Testing of IoT System Designs. In Proceedings of the 2018 21st Euromicro Conference on Digital System Design (DSD), Prague, Czech Republic, 29–31 August 2018; pp. 177–181.
35. Ruefle, R.; Dorofee, A.; Mundie, D.; Householder, A.D.; Murray, M.; Perl, S.J. Computer Security Incident Response Team Development and Evolution. IEEE Secur. Priv. Mag. 2014, 12, 16–26.
36. Improving the Effectiveness of CSIRTs. Glob. Cyber Secur. Capacit. Cent. 2015, 158, 211–235.
37. Elhissi, Y.; Haqiq, A. Information system at the Moroccan University: A business intelligence tool for management and communication of scientific research. In Proceedings of the 2016 International Conference on Information Technology for Organizations Development (IT4OD), Fez, Morocco, 30 March–1 April 2016; pp. 1–5.
38. Chen, T.R.; Shore, D.B.; Zaccaro, S.J.; Dalal, R.S.; Tetrick, L.E.; Gorab, A.K. An Organizational Psychology Perspective to Examining Computer Security Incident Response Teams. IEEE Secur. Priv. Mag. 2014, 12, 61–67.
39. Oh, S.-R.; Kim, Y.-G. Security Requirements Analysis for the IoT. In Proceedings of the 2017 International Conference on Platform Technology and Service (PlatCon), Busan, Korea, 13–15 February 2017; pp. 1–6.
40. Kowtha, S.; Nolan, L.A.; Daley, R.A. Cyber security operations center characterization model and analysis. In Proceedings of the 2012 IEEE Conference on Technologies for Homeland Security (HST), Waltham, MA, USA, 13–15 November 2012; pp. 470–475.
41. Janos, F.D.; Dai, N.H.P. Security Concerns towards Security Operations Centers. In Proceedings of the 2018 IEEE 12th International Symposium on Applied Computational Intelligence and Informatics (SACI), Timisoara, Romania, 17–19 May 2018; pp. 273–278.
42. Schmitz, C.; Pape, S. LiSRA: Lightweight Security Risk Assessment for decision support in information security. Comput. Secur. 2020, 90, 101656.
43. Valladares, P.; Fuertes, W.; Tapia, F.; Toulkeridis, T.; Perez, E. Dimensional data model for early alerts of malicious activities in a CSIRT. In Proceedings of the 2017 International Symposium on Performance Evaluation of Computer and Telecommunication Systems (SPECTS), Seattle, WA, USA, 9–12 July 2017; Volume 49, pp. 74–81.
44. Marinos, L. Risk management and risk assessment at ENISA: Issues and challenges. In Proceedings of the First International Conference on Availability, Reliability and Security (ARES'06), Vienna, Austria, 20–22 April 2006; Volume 2006, pp. 2–3.
45. Disterer, G. ISO/IEC 27000, 27001 and 27002 for Information Security Management. J. Inf. Secur. 2013, 4, 92–100.
46. Kamarudin, S.; Mohammad, M.I. File Security based on Pretty Good Privacy (PGP) Concept. Comput. Inf. Sci. 2011, 4, 10–28.
47. Uyana, M.; Escobar, M. Respuestas Ante Incidentes De Seguridad Informáticos (CSIRT). 2013, p. 1. Available online: http://repositorio.espe.edu.ec/bitstream/21000/8123/1/AC-GSR-ESPE-047639.pdf (accessed on 15 August 2021).
48. Hssina, B.; Bouikhalene, B.; Merbouha, A. Europe and MENA Cooperation Advances in Information and Communication Technologies; Rocha, A., Mohammed, S., Felgueiras, C., Eds.; Springer: Berlin, Germany, 2016; Volume 520, ISBN 978-3-319-46567-8.
49. Wiik, J.; Gonzalez, J.J.; Kossakowski, K.-P. Effectiveness of Proactive CSIRT Services. Available online: https://www.researchgate.net/publication/221002694_Effectiveness_of_Proactive_CSIRT_Services (accessed on 15 August 2021).
| Catalogue | Service |
|---|---|
| Technical Support | |
| Equipment Support (Hardware) | Telephone Help |
| Remote connection | |
| Preventive Maintenance | |
| Corrective maintenance | |
| Guarantee | |
| On-site support | |
| Antivirus | Kaspersky antivirus |
| Utility Software | Matlab |
| Office 2013 | |
| Adobe | |
| Windows/MacOS/Linux/Android/iOS | |
| Matlab | |
| Online services | Microsoft Office 365 |
| Technological services | |
| Change printer toner | |
| Ink change | |
| Parking | Parking ticket machine |
| Telephony | Telephone extensions |
| Connectivity | |
| Wifi | SSID |
| Signal quality | |
| Navigation | Blocking pages with spam, viruses and insecure content |
| Accessibility | |
| Password | User lock |
| Change of password | |
| User permits | |
| Target | Area | Recipients |
|---|---|---|
| Academic CSIRT | Institutions, universities, educational units, etc. | Students, researchers, visitors, teachers, administrators and the university community. |
| Commercial CSIRT | Service providers, Internet service providers, access providers, independent providers. | Clients and organizations. |
| Internal CSIRT | Institutions, organizations and public or private companies. | ICT area, users and administrators. |
| National CSIRT | Government or state, which processes incidents beyond the organization's borders. | The government CSIRT is sometimes referred to as the national CSIRT. |
| CSIRT for SMEs | Small and medium businesses. | They represent the largest percentage of companies. |
| Domain | Domain Characteristic |
|---|---|
| Control objectives | Number of control objectives |
| Controls | Number of controls per objective |
| Description | Definition of the objectives grouped in a domain |
| ID | Importance of the domain |
| CC | Control compliance |
| IC | Importance of control |
| Scale | Control compliance scale |
| Urgency \ Impact | High | Medium | Low |
|---|---|---|---|
| High | 1 | 2 | 3 |
| Medium | 2 | 3 | 4 |
| Low | 3 | 4 | 5 |
| Risk Classification | Response Time |
|---|---|
| High | 30 min or immediately |
| Medium | 1 to 2 h |
| Low | 2 h onwards |
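A triage helper that encodes the impact/urgency priority matrix and the response-time table above, as an added example that is not code from the paper: it assigns each open ticket a priority, derives a first-response deadline and flags tickets that have breached it. The level the extracted tables label "Half" is modelled as Medium; the mapping of matrix priorities 1 to 5 onto the High/Medium/Low risk classification is an assumption, since the paper does not state it; the sample tickets are constructed.

```python
from datetime import datetime, timedelta

LEVELS = ("High", "Medium", "Low")

# Priority matrix from the paper: key = (urgency, impact), value = priority,
# where 1 is the most urgent.
PRIORITY = {
    ("High", "High"): 1, ("High", "Medium"): 2, ("High", "Low"): 3,
    ("Medium", "High"): 2, ("Medium", "Medium"): 3, ("Medium", "Low"): 4,
    ("Low", "High"): 3, ("Low", "Medium"): 4, ("Low", "Low"): 5,
}

# Response-time table from the paper, modelled as the latest acceptable first
# response. "2 h onwards" for Low risk has no upper bound, hence None.
RESPONSE_LIMIT = {
    "High": timedelta(minutes=30),
    "Medium": timedelta(hours=2),
    "Low": None,
}


def priority(urgency, impact):
    """Look up the matrix priority, rejecting levels outside the paper's scale."""
    if urgency not in LEVELS or impact not in LEVELS:
        raise ValueError(f"urgency and impact must be one of {LEVELS}")
    return PRIORITY[(urgency, impact)]


def risk_class(prio):
    # ASSUMPTION (not stated in the paper): priorities 1-2 are High risk,
    # 3 is Medium and 4-5 are Low.
    if prio <= 2:
        return "High"
    if prio == 3:
        return "Medium"
    return "Low"


def triage(ticket, now):
    """Return a copy of the ticket with priority, risk class, deadline and SLA state."""
    prio = priority(ticket["urgency"], ticket["impact"])
    risk = risk_class(prio)
    limit = RESPONSE_LIMIT[risk]
    deadline = ticket["logged"] + limit if limit is not None else None
    overdue = deadline is not None and now > deadline
    return {**ticket, "priority": prio, "risk": risk,
            "deadline": deadline, "overdue": overdue}


def triage_queue(tickets, now):
    """Order open tickets by priority, then by how long they have been waiting."""
    return sorted((triage(t, now) for t in tickets),
                  key=lambda t: (t["priority"], t["logged"]))


# Constructed sample tickets (not from the paper); service names follow the catalogue.
NOW = datetime(2021, 8, 15, 10, 0)
SAMPLE_TICKETS = [
    {"id": "T-1", "service": "Change printer toner", "urgency": "Low",
     "impact": "Low", "logged": datetime(2021, 8, 15, 8, 0)},
    {"id": "T-2", "service": "Antivirus detection on admin workstation",
     "urgency": "High", "impact": "High", "logged": datetime(2021, 8, 15, 9, 15)},
    {"id": "T-3", "service": "Wifi signal quality", "urgency": "Medium",
     "impact": "Low", "logged": datetime(2021, 8, 15, 9, 50)},
    {"id": "T-4", "service": "Navigation (insecure page blocking)",
     "urgency": "High", "impact": "Medium", "logged": datetime(2021, 8, 15, 7, 30)},
]

if __name__ == "__main__":
    for t in triage_queue(SAMPLE_TICKETS, NOW):
        print(t["id"], t["priority"], t["risk"], t["deadline"],
              "OVERDUE" if t["overdue"] else "")
```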
© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Villegas-Ch., W.; Ortiz-Garces, I.; Sánchez-Viteri, S. Proposal for an Implementation Guide for a Computer Security Incident Response Team on a University Campus. Computers 2021, 10, 102. https://doi.org/10.3390/computers10080102